r77 | 801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893 | Triage

Sharing

General

Target

Client3245tt3q45.exe
Size

29KB
Sample

231113-232c1sfh99
MD5

85253b35dcea8e7131541bd1ede1f686
SHA1

6c69103a6719fd3c612d992e56eb863b025d7433
SHA256

801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893
SHA512

e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8
SSDEEP

768:GecUMOOo5HCljU0rDdIA/MDMAP79xt3C2hGXbGjD:5MON5KIAUDdT973C2hObg

Score

10^/10

r77 evasion persistence rootkit spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Targets

- Target
  
  Client3245tt3q45.exe
- Size
  
  29KB
- MD5
  
  85253b35dcea8e7131541bd1ede1f686
- SHA1
  
  6c69103a6719fd3c612d992e56eb863b025d7433
- SHA256
  
  801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893
- SHA512
  
  e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8
- SSDEEP
  
  768:GecUMOOo5HCljU0rDdIA/MDMAP79xt3C2hGXbGjD:5MON5KIAUDdT973C2hObg
Score

10^/10

evasion persistence spyware stealer r77 rootkit
- r77
  r77 is an open-source, userland rootkit.
  rootkit r77
- r77 rootkit payload
  Detects the payload of the r77 rootkit.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies AppInit DLL entries
  persistence
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencespywarestealer

behavioral2

r77evasionpersistencerootkit